How to build a hijack-proof airplane

This writeup may seem a little cold and mechanical to some people, in the aftermath of the atrocity in New York this past week. I am as distraught as anyone that someone thought it would be a good idea to kill thousands of innocent people. But when tragedy strikes, I tend to dwell on solutions, rather than on the tragedy itself - that's just who I am. So if this offends you in any way, I apologize, but I feel the need to get these ideas out.

On Tuesday, September 11, 2001, it became painfully apparent that passenger airplanes, especially those in the United States, are extremely susceptible to hijacking. Ironically, a friend and I were discussing this very subject, a little over a month ago: "Why do terrorists hijack airplanes, and why are airplanes so susceptible to hijacking?"

Why do they hijack airplanes? Several reasons:

Once they are in the air, there is (essentially) no way for anyone outside of the airplane to give any resistance to the hijackers.

If you can take control of the right kind of plane, you can fly to virtually any destination in the world

Planes are usually filled with a large number of generally docile civilians, who make good hostages.

If you want to inflict a large amount of damage to a structure, with a minimum financial cost to yourself, and don't mind dying in the process, crashing a plane is apparently an effective way to do it.

Why are airplanes so susceptible to hijacking? In a typical scenario, a terrorist armed with some high-damage-potential weapon (a bomb, a gun) gets control of the plane's cabin, and once that is under control, proceeds to coerce the pilots in the cockpit of the plane to either surrender control of the plane, or to direct the plane according to the instructions of the hijackers. Now, there are three main ways to gain control of the cockpit:

Kill the pilots, seize control. This is only effective if you are on a suicide mission and don't care about skilled flying, as was the case in the World Trade Center attack, or if one of the hijackers is a skilled passenger-airplane pilot.

Coerce the pilots to fly where you want, by threatening their lives directly. Most people won't say "no" to pretty much anything you demand (except for something like "fly into that building over there"), if they have a gun to their head, or a knife to their throat, so this is a pretty common way of doing things.

Coerce the pilots to fly where you want, by threatening the lives of their passengers. Unless they are totally heartless, people will comply in order to save someone else's life.

Ok, so how do you counteract all of these methods of taking control? Clearly the planes currently being used in the United States have little innate defense against hijacking. No, a lockable, flimsy door between the cabin and cockpit does not count. If you have been watching the news for the past few days, you will have heard members of the media decrying the pitifulness of these doors.

However, their proposals as to what should be done about it are almost as lame as what we have now. So far I have heard:

Do as the Israeli airline does, add armed guards at the door? Well, that would probably help, but the problem is still present: the guards, like the rest of the crew, can be overpowered, killed, etc.

Beef up the door's strength. Well, the fact that flight attendants all carry the keys to the door, and are in the vulnerable cabin, means that no matter how strong the door is, either side can open it. Even if you remove the keys, a door is a door, and unless it is a bank vault, it's going to be fairly easy to open, with the appropriate application of brute force and ignorance. Also, even if only openable from the inside, hijackers can always lure pilots out by threatening or killing passengers.[1]

Arm the pilots.[2] Allow passengers to carry guns onto the plane. While I would support both of these, and they certainly would help, they have nothing to do with the design of the plane, and they just lower the probability of a successful hijacking, they do not eliminate it. Current political attitudes toward gun control in the US are not conducive to this anyway, so it's probably not feasible...

What I have not heard, but I have now discussed with several people (my roommates, some friends), are two sets of design changes. According to the roommate I discussed this with the most, he had thought of similar ideas, also a few weeks ago. They're not terribly complex or unreasonable ideas, so I would have expected someone to think of them before; however, searching the Web, and listening to the news, I haven't found anything like this. (Perhaps some Boeing engineers have already had these ideas and been forced by management to abandon them? Who knows? And far be it from me to accuse "management" of pooh-poohing good ideas...)

Remove the door between the cabin and cockpit, and replace it with a bulkhead, so that it is not possible to access one from the other. Pilots would enter through one entrance, passengers through their own. With no way to get to the cockpit from the cabin the first two methods of taking control of the airplane (killing the pilots, holding a gun to the pilots' heads) are negated due to physical impossibility. The third (using hostages to coerce the pilots) is still viable, which brings us to the next point:

Remove all ability for the cabin to communicate with the cockpit, except for a button that tells the cockpit "There is an emergency situation in the cabin, please land the plane immediately". Since that is really the only thing a pilot can reasonably do in an emergency during a flight anyway, it makes sense that that is all the cabin should be able to communicate to the cockpit. Of course, the cockpit should still be allowed to talk to the cabin - "We are now cruising at an altitude of thirty thousand feet", and such. With this measure in place, the third and only remaining cockpit-takeover-option, "threaten the cabin members to coerce the pilots" is no longer possible, since there's no way for the pilots to actually know that such a threat is being made...

The second approach is similar to the first, but quite a lot harder to implement, mainly because it would require a lot more engineering than is required for a bulkhead and an external door...

As in the first situation, remove the ability for the cabin to talk to the pilots.

Take the pilot-passenger separation to a new extreme: remove the pilots from the airplane entirely, and fly via remote control! More specifically, instead of having a cockpit with instruments and controls, send a signal to a ground-based flight simulator, which houses the pilot.*

If that last step seems somewhat outrageous, let me point out why it really isn't:

Modern passenger aircraft are flown largely by instrumentation these days anyway (in fact, pilots are trained to be able to fly and land in zero visibility, using only the instrument panel). The ability to actually "be there" to see what's going on outside is quite unnecessary, and could be quite effectively replaced by having external video cameras.

Large commercial aircraft are not very manoeuvrable - everything in smooth, slow movements - so any latency introduced in the process of getting signals between the pilot on the ground and the plane in the air is more-or-less masked by the latency inherent in controlling the aircraft itself.

Control and instrumentation information would have to be transferred over a secure channel, of course, possibly with a one time pad, possibly with public key encryption, but whatever it is, it would have to be strong encryption. Otherwise, it would be extremely vulnerable to being cracked. Well, to be able to override an existing connection would require a lot of radio power - power which would be very traceable to the source, and breaking strong encryption is, well, "hard". So while it's an issue, it isn't an insurmountable one. The other vulnerability is signal jamming - this is easily handled though, since any jamming signal can, by nature of it being intensely strong, be traced to its source and stopped, extremely quickly - this applies even more than in the overriding-signal attack. In any case, during a jamming attack, the autopilot can do its thing, until the jamming signal stops, or enough distance is put between the jamming signal and the plane that the real control signal can get through.[3]

So why would you go to these lengths to hijack-proof a plane? Well, ask yourself this: if hijackers are no longer able to take over an airplane, why would they try? Answer: "They wouldn't."

I hope the next plane I fly in is hijack-proof. (If anyone out there works at an aircraft manufacturer, or knows someone who does, I'd love it if you suggested these things to them.. I would, but I don't know anyone there.)

*Of note is the fact that this system also provided some other advantages: pilots can work in shifts, if they get tired, they can be replaced, emergencies can be handled by more experienced pilots, instrumentation can be less space-constrained, planes can be lighter, pilots wouldn't be restricted to flying from where they land, or even flying only one plane at once! ... well, you get the picture. That's all for another node, anyway.

[1] Thanks to mr100percent for pointing this out - I was unaware of it before.
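The control-link safeguards described in the writeup above (a channel that cannot be overridden by a stronger transmitter, with the autopilot holding while the signal is jammed), sketched as an added example that is not part of the original writeups. The frame layout, the `HOLD_AFTER_MISSED` threshold, the mode names and the sample commands are assumptions; it shows authentication and replay rejection only, not confidentiality.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32             # HMAC-SHA256 tag length in bytes
HOLD_AFTER_MISSED = 3    # assumed: intervals without a valid frame before autopilot hold


def seal(key, counter, command):
    """Ground side: frame = 8-byte counter || command || HMAC tag over both."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class LinkReceiver:
    """Aircraft side: act only on authentic, fresh frames; otherwise hold."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0
        self.missed = 0
        self.mode = "REMOTE"

    def _open(self, frame):
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                       # forged or corrupted frame
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            return None                       # replay of an old frame
        self.last_counter = counter
        return body[8:]

    def tick(self, frame):
        """One control interval; frame is None when nothing usable arrived."""
        command = self._open(frame) if frame else None
        if command is None:
            self.missed += 1
            if self.missed >= HOLD_AFTER_MISSED:
                self.mode = "AUTOPILOT_HOLD"  # jammed or spoofed: stop trusting the link
            return None
        self.missed = 0
        self.mode = "REMOTE"
        return command


def run_demo():
    key = bytes(range(32))                      # constructed demo key, one per flight
    rx = LinkReceiver(key)
    good = seal(key, 1, b"HDG 270")
    forged = seal(b"\x00" * 32, 2, b"HDG 090")  # sender that does not hold the key
    later = seal(key, 2, b"ALT 300")
    frames = [good, good, forged, None, None, later]   # constructed traffic
    return [(rx.tick(f), rx.mode) for f in frames]
```

A louder transmitter gains nothing here: without the key its frames fail the tag check and count the same as silence, so the worst it can do is push the receiver into the hold mode.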

I would like to point out one thing about the remote controlled planes part. If someone can control it from the ground, someone else can control it from the ground. Thus, this would lead to people hijacking a plane through hacking the control system. Perhaps "hack-jacking". You mention the strong encryption, but that will be broken. It always is. It would also incur great costs in research for new encryption systems and implementing those systems every time one is hacked. But then, only one being hacked would be enough for massive destruction, thus defeating the purpose.

You also mention that the military uses this technology already, and you may point out that they haven't been hacked. My response to this is that they have the power to keep technology classified. The public sector would not have this luxury. The technology would be widespread, as I expect it would be implemented for every airline in the nation. Being so widespread, the knowledge of how it works would already be subject to falling in the wrong hands, and private citizens would most likely work on the systems. This adds to the number of people with this powerful knowledge. It would be extremely difficult for the airlines to implement this technology and still keep it a secret.

A ground control system that could take over in the event of a hijacking would be best, rather than relying on one the entire time. Even then, nuclear-launch-control security would need to be implemented. The pilots should be on the plane. Everything else, I agree with.

Response to -Brazil-:
The only thing encryption will protect you against is someone intercepting transmissions. Sure, this is helpful - it protects passwords, prevents spoofing, etc. But what happens when someone hacks into the machine controlling the plane? No encryption there.

The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one. -- attributed to Dennis Hughes, FBI

In short, what I was trying to say is this: There is no computer that cannot be hacked. If the plane is controlled through a computer, that computer can and will be hacked.

yabai is quite wrong about the vulnerability of strong encryption, as anyone who's versed in the mathematics involved knows. However, there is another, much bigger vulnerability in the concept: what about interference? Instead of taking over the plane, one could just bombard it with white noise on the control frequency. During complex maneuvers such as starting and landing, this would have almost certainly catastrophic results. No, there are good reasons not to trust technology too far.

I actually read the other suggestion (remove communications between cockpit and passenger cabin) before, in a book from the 70s written by Paul Watzlawick. He said it was infeasible because there were situations where such communication was absolutely necessary. The "emergency button" sounds like an interesting solution, but I'm not sure if it would be really sufficient.

I agree with the above statements regarding remote controlled passenger planes. I do believe that sooner rather than later remote piloted cargo planes will likely become prevalent. (http://www.dsto.defence.gov.au/globalhawk/coverage/gb230401.html)

This week's events will likely play a large part in the adoption of drones for cargo flights. With no pilots, no passengers, and no human interaction, as long as you have sufficiently strong encryption and a signal strength capable of punching through any possible interception, drone flight is relatively free of the risks now apparent in having tubes of jet fuel flying through the air.

However, I don't feel that the "Bulkhead" option is likely to be adopted either. It has been my understanding that one of the things that allows cockpit crews and flight attendants to remain sane in what is one of the most insane working environments possible. The interaction between the cockpit crews and the flight crews is a major reason why I don't see the bulkhead being implemented.

As for possible engineering solutions to what is essentially a sociological problem, I foresee bulking up of the cabin door, possibly the creation of "security bulkheads" like you see in prisons, where unmovable doors can be dropped in tense situations to partition up the aircraft. (Cutting off terrorists from each other and hopefully, from passengers and pilots.)

One of the other things I have heard discussed is a "DeadMan's Switch". As it's been mentioned before, most planes are flown by wire at this point. Something I've heard discussed is the ability to drop the plane into an unalterable flight path. This flight path would remove the ability of the pilots to actually fly the plane, and thus defuse possible demands potential terrorists would place on the pilots. This last ditch flight path would set the plane on a flight path to the nearest available airport, only returning control to the pilots when it was time to land.

Reinforce the doors to the cockpit, put a couple of armed guards just outside them. As iocane pointed out, you may want to replace their guns with weapons designed not to puncture aircraft, such as electro-stun and sleepygas.

Have a panic button in the cockpit and just outside it that does the following:

Closes and locks the doors so that they cannot be opened until after the plane has landed.

Give air traffic control the option to take control of the plane remotely. This is harder, and may not be necessary. I don't see this option being feasible right now for passenger craft without it being deliberately engaged by both sides, and only as a backup to the pilot - an emergency measure rather than the norm. Maybe someday, after years of using remote piloting for unmanned craft and proving its robustness, we'll be ready to routinely entrust our lives to unpiloted aircraft, but not yet.

Or an even more cautious approach- divide the plane into 3 sections:
The passenger section is largest, takes up all except the front of the plane.
The crew section is in front of that, separated from the passenger section by a reinforced door.
The cockpit is at the front, separated from the crew section by a second reinforced door.

Both doors should be kept closed unless they need to be opened. Unauthorised persons entering the crew section should be cause for alarm. The system should ensure that the two reinforced doors cannot both be opened at the same time, or even just after each other. Thus the cockpit cannot be rushed and there is always time to press a panic button.

Put armed guards outside the cockpit door, right next to the panic button. Make sure that the people in the cockpit have a CCTV view of the crew section just outside, so if they see problems they can press the panic button instead of allowing the door to open. The guards may want similar CCTV views of the passenger section.

I would not suggest a bulkhead or cockpit door that can only be opened from the inside, as you need to make sure that in case of say, one pilot being out of the cockpit to relieve themself and the other having a heart attack, the crew can always still get back into the cockpit. Unless the panic button has been pressed.

Short of sedating or shackling all passengers on all flights, there is no way to totally prevent the possibility of a passenger suddenly grabbing another passenger or crewmember and threatening their life. However it is possible to prevent this from turning into control of the plane, or even leverage over the course of the plane.

In the past, giving the hijackers access to the cockpit and allowing the possibility of an unscheduled trip to Cuba was seen as a lesser evil. Since 11 September 2001 this is clearly no longer the case.

Finally, a foreign policy that does not cause resentment and anger in large parts of the world would alleviate the need for such measures.

Update, December 2001.

Salon.com is today airing a serious proposal. The suggestion is that of virtual no-fly zones. This is software in the airplane's navigation system that steers the craft out of designated areas. It would feel like "soft walls" that increasingly push the plane away. So it literally cannot fly where it is not supposed to. An argument used in favour of this is that the pilot retains more control than with some of the remote control proposals.

In general, I guess we are going to see much closer attention paid to aircraft that are not following their expected course, and stronger external measures taken against them. This may include onboard or remote methods of steering the craft back where it is supposed to be.
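The two-door rule and latching panic button proposed in the writeup above, written out as a small state machine; this is an added example, not part of the original writeup. The door names, the 30-second gap and the assumption that pressing the panic button also drives any open door shut are illustrative choices, since the writeup gives no figures.

```python
class CockpitInterlock:
    """Interlock for the passenger/crew door and the crew/cockpit door."""

    DOORS = ("cabin_door", "cockpit_door")   # hypothetical names for the two doors

    def __init__(self, dwell_s=30):
        self.dwell_s = dwell_s      # assumed minimum gap before the *other* door may open
        self.open_door = None       # at most one door is ever open
        self.last_closed = None     # (door, time it was closed)
        self.panic = False          # latched until the aircraft has landed

    def request_open(self, door, now):
        """Return True only if opening this door keeps the cockpit un-rushable."""
        if door not in self.DOORS or self.panic:
            return False
        if self.open_door is not None:
            return self.open_door == door    # the other door is open: refuse
        if self.last_closed is not None:
            prev, closed_at = self.last_closed
            if prev != door and now - closed_at < self.dwell_s:
                return False                 # "or even just after each other"
        self.open_door = door
        return True

    def close(self, door, now):
        if self.open_door == door:
            self.open_door = None
            self.last_closed = (door, now)

    def press_panic(self):
        self.panic = True       # no unlock path exists in flight
        self.open_door = None   # assumption: actuators drive any open door shut

    def landed(self):
        self.panic = False      # the only event that clears the latch


def run_demo():
    lock = CockpitInterlock(dwell_s=30)
    out = [lock.request_open("cabin_door", now=0)]        # crew member enters crew section
    out.append(lock.request_open("cockpit_door", now=5))  # refused: cabin door still open
    lock.close("cabin_door", now=10)
    out.append(lock.request_open("cockpit_door", now=20)) # refused: only 10 s since close
    out.append(lock.request_open("cockpit_door", now=45)) # allowed: 35 s since close
    lock.close("cockpit_door", now=50)
    lock.press_panic()
    out.append(lock.request_open("cockpit_door", now=500))  # refused until landing
    lock.landed()
    out.append(lock.request_open("cockpit_door", now=600))
    return out
```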

Cabin -> cockpit communication: Let's say the pilots are behind a bulkhead, and uncontactable except for a red button for Land This Bird Now. What's to stop the hijackers using a cellphone or radio transmitter and contacting air traffic control ordering them to communicate with the pilots? ("Tell the pilots to change course to xxx or we start killing passengers"). The problem is not that the hijackers should not be able to talk to the pilots, it's that the hijackers should not be able to directly influence the plane's flightpath in any way. Putting the cabin crew in contact with ATC would make the bulkhead pointless as the hijackers simply demand the cabin crew to get ATC to contact the pilots. This is a really difficult issue to solve.

Changing plane course: What about this: Give the Captain a secret key code, the co-pilot a secret key code and a specially trained anti-terrorist passenger a secret key code (this passenger is not known to the crew, the pilots or anybody on the ground who is contactable). The plane has an inbuilt flight plan which CANNOT be diverted from, unless there is a fuel shortage, a mechanical problem or another situation, which would require the Captain, the co-pilot AND the mysterious passenger to input their key codes into the plane. If there is a problem onboard (i.e. hijacking), the anti-terrorist operative onboard simply remains anonymous and is trained to not provide his/her code NO MATTER WHAT. Just an idea. Difficult to implement, yes. Leaves room for Mr Computer Genius Terrorist to over-ride the code system etc.

If it was easy to secure planes, they would be secure. It's a really difficult task and requires a security chain incredibly long to remain secure.
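The three-key-code idea in the post above, where the Captain, the co-pilot and the anonymous passenger must all enter a code before the flight plan can change, maps onto all-or-nothing secret splitting; the following is an added example, not part of the original post. The role names, the 32-byte key size and the `FlightPlanLock` class are hypothetical, and the lock stores only a digest, so coercing two holders or reading the lock's storage yields nothing usable.

```python
import hashlib
import hmac
import secrets


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split_all_required(secret, holders):
    """Split secret into one share per holder; XOR of ALL shares rebuilds it."""
    shares = [secrets.token_bytes(len(secret)) for _ in holders[:-1]]
    last = secret
    for share in shares:
        last = xor_bytes(last, share)
    shares.append(last)            # any subset short of all shares is pure noise
    return dict(zip(holders, shares))


class FlightPlanLock:
    """Holds only a digest of the override key, never the key or any share."""

    def __init__(self, override_key, holders):
        self._digest = hashlib.sha256(override_key).digest()
        self._holders = set(holders)
        self._size = len(override_key)
        self.diverted = False

    def request_diversion(self, entered):
        """entered maps holder name -> share typed in; every holder must appear."""
        if set(entered) != self._holders:
            return False
        if any(len(s) != self._size for s in entered.values()):
            return False
        combined = bytes(self._size)
        for share in entered.values():
            combined = xor_bytes(combined, share)
        ok = hmac.compare_digest(hashlib.sha256(combined).digest(), self._digest)
        self.diverted = self.diverted or ok
        return ok


def run_demo():
    holders = ["captain", "copilot", "marshal"]   # hypothetical role names
    key = secrets.token_bytes(32)                 # fresh override key per flight
    shares = split_all_required(key, holders)
    lock = FlightPlanLock(key, holders)
    two = {h: shares[h] for h in ("captain", "copilot")}
    guessed = dict(two, marshal=bytes(32))        # both pilots coerced, third code guessed
    return {
        "two_of_three": lock.request_diversion(two),
        "guessed_third": lock.request_diversion(guessed),
        "all_three": lock.request_diversion(shares),
    }
```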

As an adjunct to bis's ideas of removing the door between the cockpit and the rest of the plane, and dead man switches for the non-cockpit flight crew...

The pilots could monitor the rest of the plane via CCTV, and at the first sign of trouble, release the gas. Everyone onboard except the cockpit crew would be rendered unconscious: terrorists, passengers, and other flight crew. This way nobody gets shot, stabbed, or beaten senseless; and the terrorists are still alive to answer any questions the authorities might have for them.

Although not practical in this day and age, AI Pilots would solve many of these problems. Instead of moving the pilot to a secure location, and using Remote Control, why not just skip the pilot, and have an on-board computer (locked securely away, of course) do all the navigational work.

The computer would have access to weather, GPS and other navigational data. Also, an emergency code changed every flight, and known only to ground control could be used to force the computer to land the plane. The issuer of the code would have no control over where the plane would land, just the fact that it would land ASAP.

The remote control issue with strong encryption is no real large deal, as the theory is that any encryption can be broken given sufficient time. The point being that even if you used a public key encryption scheme and changed the key after every flight, and if all flights last no longer than 22 or so hours, you could still use say PGP for example; you could generate a 1024 bit key, which is a pretty good length, and to my knowledge there is no known computer that could crack this size key in 22 hours, and even a distributed system like seti@home only processes data twice as fast as ASCI White does, so we are still looking at something that is definitely not feasible to crack in the allotted amount of time.

Secondly, as far as overpowering a control signal goes, I would like to point out that just for the record the Concorde can land in zero (0) visibility with NO pilot intervention; the auto pilot is good enough to handle landing at Heathrow in thick fog.

Lastly, GPS is at a point now, or even 5 years ago, that if you use more than 3 GPS receivers you can use triangulation to get a location resolution of something like 5 cm (2.5 inches), which is not bad; landing a plane within 10 cm (5 inches) of the centerline on a 150 foot wide runway is pretty damn good in my book.